| .TH vzctl 8 "12 May 2011" "OpenVZ" "Containers" |
| .SH NAME |
| vzctl \- utility to control an OpenVZ container. |
| .SH SYNOPSIS |
| vzctl [\fIflags\fR] \fBcreate\fR \fICTID\fR |
| [\fB--ostemplate\fR \fIname\fR] [\fB--config\fR \fIname\fR] |
| [\fB--private\fR \fIpath\fR] [\fB--root\fR \fIpath\fR] [\fB--ipadd\fR \fIaddr\fR] [\fB--hostname\fR \fIname\fR] |
| .PP |
| vzctl [\fIflags\fR] \fBset\fR \fICTID\fR \fIparameters\fR [\fB--save\fR] |
| .PP |
| vzctl [\fIflags\fR] \fBdestroy\fR | \fBmount\fR | \fBumount\fR | |
| \fBstart\fR | \fBstop\fR | \fBrestart\fR | |
| \fBstatus\fR | \fBquotaon\fR | \fBquotaoff\fR | \fBquotainit\fR \fICTID\fR |
| .PP |
| vzctl [\fIflags\fR] \fBexec\fR | \fBexec2\fR \fICTID\fR |
| \fIcommand\fR [\fIarg\fR ...] |
| .PP |
| vzctl [\fIflags\fR] \fBenter\fR \fICTID\fR [\fB--exec \fIcommand\fR |
| [\fIarg\fR ...]] |
| .PP |
| vzctl [\fIflags\fR] \fBrunscript\fR \fICTID\fR \fIscript\fR |
| .PP |
| vzctl \fB--help\fR | \fB--version\fR |
| .SH DESCRIPTION |
| Utility \fBvzctl\fR runs on the host system (otherwise known as Hardware Node, |
| or HN) and performs direct manipulations with containers (CTs). |
| .PP |
| Containers can be referred to by either numeric \fICTID\fR or |
| by name (see \fB--name\fR option). Note that CT ID <= 100 are reserved for |
| OpenVZ internal purposes. |
| .SH OPTIONS |
| |
| .SS Flags |
| |
| These flags come before a command, and can be used with any command. |
| They affect logging to console (terminal) only, and do not affect logging |
| to a log file. |
| .IP \fB--quiet\fR 4 |
| Disables output. Note that scripts run by vzctl are still able to produce |
| some output. |
| .IP \fB--verbose\fR 4 |
| Increments logging level up from the default. Can be used multiple times. |
| Default value is set to the value of \fBVERBOSE\fR parameter in the global |
| configuration file \fBvz.conf\fR(5), or to \fB0\fR if not set by |
| \fBVERBOSE\fR parameter. |
| |
| .SS Setting container parameters |
| |
| .IP "\fBset\fR \fICTID\fR \fIparameters\fR [\fB--save\fR] [\fB--force\fR]" 4 |
| This command sets various container parameters. If a \fB--save\fR flag is given, |
| parameters are saved in container configuration file \fBctid.conf\fR(5). |
| Use \fB--force\fR to save the parameters even if the current kernel |
| doesn't support OpenVZ. |
| If the container is currently running, \fBvzctl\fR applies these parameters |
| to the container. |
| |
| The following parameters can be used with \fBset\fR command. |
| |
| .TP |
| .B Miscellaneous |
| .TP |
| \fB--onboot\fR \fByes\fR | \fBno\fR |
| Sets whether the container will be started during system boot. |
| The container will not be auto-started unless this parameter |
| is set to \fByes\fR. |
| .TP |
| \fB--bootorder\fR \fInumber\fR |
| Sets the boot order priority for this CT. The higher the \fInumber\fR is, |
| the earlier in the boot process this container starts. By default this |
| parameter is unset, which is considered to be the lowest priority, so |
| containers with unset \fBbootorder\fR will start last. |
| .TP |
| \fB--root\fR \fIpath\fR |
| Sets the path to root directory for this container. This is essentially a mount |
| point for container's root directory. Argument can contain literal string |
| \fB$VEID\fR, which will be substituted with the numeric CT ID. |
| Changing this parameter is not recommended, better edit |
| \fBvz.conf\fR(5) global configuration file. |
| .TP |
| \fB--userpasswd\fR \fIuser\fR:\fIpassword\fR |
| Sets password for the given user in a container, creating the user if |
| it does not exists. |
| Note that this option is not saved in configuration file at all (so |
| \fB--save\fR flag is useless), it is applied to the container (by modifying its |
| \fB\f(CR/etc/passwd\fR and \fB\f(CR/etc/shadow\fR files). |
| |
| In case container root filesystem is not mounted, it is automatically mounted, |
| then all the appropriate file changes are applied, then it is unmounted. |
| |
| Note that container should be created before using this option. |
| .TP |
| \fB--disabled\fR \fByes\fR | \fBno\fR |
| Disable container start. To force the start of a disabled container, |
| use \fBvzctl start --force\fR. |
| .TP |
| \fB--name\fR \fIname\fR |
| Add a name for a container. The \fIname\fR can later be used in |
| subsequent calls to \fBvzctl\fR in place of \fICTID\fR. |
| .TP |
| \fB--description\fR \fIstring\fR |
| Add a textual description for a container. |
| .TP |
| \fB--setmode\fR \fBrestart\fR|\fBignore\fR |
| Whether to restart a container after applying parameters that require |
| the container to be restarted in order to take effect. |
| |
| .TP |
| .B Networking |
| .TP |
| \fB--ipadd\fR \fIaddr\fR |
| Adds IP address to a given container. Note that this option is incremental, so |
| \fIaddr\fR are added to already existing ones. |
| .TP |
| \fB--ipdel\fR \fIaddr\fR | \fBall\fR |
| Removes IP address \fIaddr\fR from a container. If you want to remove all |
| the addresses, use \fB--ipdel all\fR. |
| .TP |
| \fB--hostname\fR \fIname\fR |
| Sets container hostname. \fBvzctl\fR writes it to the appropriate file inside a |
| container (distribution-dependent). |
| .TP |
| \fB--nameserver\fR \fIaddr\fR |
| Sets DNS server IP address for a container. If you want to set several |
| nameservers, you should do it at once, so use \fB--nameserver\fR option |
| multiple times in one call to \fBvzctl\fR, as all the name server values |
| set in previous calls to \fBvzctl\fR are overwritten. |
| .TP |
| \fB--searchdomain\fR \fIname\fR |
| Sets DNS search domains for a container. If you want to set several search |
| domains, you should do it at once, so use \fB--searchdomain\fR option |
| multiple times in one call to \fBvzctl\fR, as all the search domain values |
| set in previous calls to \fBvzctl\fR are overwritten. |
| .TP |
| \fB--netif_add\fR \fIifname[\fR,\fImac\fR,\fIhost_ifname\fR,\fIhost_mac\fR,\fIbridge]\fR |
| Adds a virtual Ethernet device (veth) to a given container. Here \fIifname\fR |
| is the Ethernet device name in the container, \fImac\fR is its MAC address, |
| \fIhost_ifname\fR is the Ethernet device name on the host, and |
| \fIhost_mac\fR is its MAC address. MAC addresses should be in the format |
| like XX:XX:XX:XX:XX:XX. \fIbridge\fR is an optional parameter which can be |
| used in custom network start scripts to automatically add the interface |
| to a bridge. All parameters except \fIifname\fR are optional |
| and are automatically generated if not specified. |
| .TP |
| \fB--netif_del\fR \fIdev_name\fR | \fBall\fR |
| Removes virtual Ethernet device from a container. If you want to remove all |
| devices, use \fBall\fR. |
| |
| .TP |
| .B veth interface configuration |
| .PP |
| The following options can be used to reconfigure the already-created virtual |
| Ethernet interface. To select the interface to configure, use |
| \fB--ifname\fR \fIname\fR option. |
| .TP |
| \fB--mac\fR \fIXX:XX:XX:XX:XX:XX\fR |
| MAC address of interface inside a container. |
| .TP |
| \fB--host_ifname\fR \fIname\fR |
| interface name for virtual interface in the host system. |
| .TP |
| \fB--host_mac\fR \fIXX:XX:XX:XX:XX:XX\fR |
| MAC address of interface in the host system. |
| .TP |
| \fB--bridge\fR \fIname\fR |
| Bridge name. Custom network start scripts can use this value to automatically |
| add the interface to a bridge. |
| .TP |
| \fB--mac_filter\fR \fBon\fR | \fBoff\fR |
| Enables/disables MAC address filtering for the Container veth device and |
| the possibility of configuring the MAC address of this device from inside |
| the Container. If the filtering is turned on: |
| .br |
| \(bu the veth device accepts only those packets that have a MAC address in |
| their headers corresponding to that of this device (excluding all broadcast |
| and multicast packets); |
| .br |
| \(bu it is impossible to modify the veth MAC address from inside the Container. |
| |
| By default, this functionality is enabled for all veth devices existing |
| inside the Container. |
| |
| .TP |
| .B Resource limits |
| .PP |
| The following options sets barrier and limit for various user beancounters. |
| Each option requires one or two arguments. In case of one argument, |
| \fBvzctl\fR sets barrier and limit to the same value. In case of |
| two colon-separated arguments, the first is a barrier, |
| and the second is a limit. Each argument is either a number, a number |
| with a suffix, or a special value \fBunlimited\fR. |
| |
| Arguments are in items, pages or bytes. Note that page size |
| is architecture-specific, it is 4096 bytes on x86 and x86_64 platforms. |
| |
| You can also specify different suffixes for \fBset\fR parameters |
| (except for the parameters which names start with \fBnum\fR). |
| For example, \fBvzctl set\fR \fICTID\fR \fB--privvmpages 5M:6M\fR |
| should set \fBprivvmpages\fR' barrier to 5 megabytes and its limit |
| to 6 megabytes. |
| |
| Available suffixes are: |
| .br |
| \fBg\fR, \fBG\fR -- gigabytes. |
| .br |
| \fBm\fR, \fBM\fR -- megabytes. |
| .br |
| \fBk\fR, \fBK\fR -- kilobytes. |
| .br |
| \fBp\fR, \fBP\fR -- pages (page is 4096 bytes on x86 architecture, |
| other architectures may differ). |
| |
| You can also specify the literal word \fBunlimited\fR in place of a number. |
| In that case the corresponding value will be set to \fBLONG_MAX\fR, i. e. |
| the maximum possible value. |
| .TP |
| \fB--numproc\fR \fIitems\fR[:\fIitems\fR] |
| Maximum number of processes and kernel-level threads. |
| Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--numtcpsock\fR \fIitems\fR[:\fIitems\fR] |
| Maximum number of TCP sockets. This parameter limits the number of TCP |
| connections and, thus, the number of clients the server application can |
| handle in parallel. |
| Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--numothersock\fR \fIitems\fR[:\fIitems\fR] |
| Maximum number of non-TCP sockets (local sockets, UDP and other types |
| of sockets). |
| Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--vmguarpages\fR \fIpages\fR[:\fIpages\fR] |
| Memory allocation guarantee. This parameter controls how much memory is |
| available to a container. The barrier is the amount |
| of memory that container's applications are guaranteed to be able to allocate. |
| The meaning of the limit is currently unspecified; it should be set to |
| \fBunlimited\fR. |
| .TP |
| \fB--kmemsize\fR \fIbytes\fR[:\fIbytes\fR] |
| Maximum amount of kernel memory used. This parameter is related to |
| \fB--numproc\fR. Each process consumes certain amount of kernel memory - |
| 16 KB at least, 30-50 KB typically. Very large processes may consume |
| a bit more. It is important to have a certain safety gap between the |
| barrier and the limit of this parameter: equal barrier and limit may |
| lead to the situation where the kernel will need to kill container's |
| applications to keep the \fBkmemsize\fR usage under the limit. |
| .TP |
| \fB--tcpsndbuf\fR \fIbytes\fR[:\fIbytes\fR] |
| Maximum size of TCP send buffers. |
| Barrier should be not less than 64 KB, and difference between |
| barrier and limit should be equal to or more than value of |
| \fBnumtcpsock\fR multiplied by 2.5 KB. |
| .TP |
| \fB--tcprcvbuf\fR \fIbytes\fR[:\fIbytes\fR] |
| Maximum size of TCP receive buffers. |
| Barrier should be not less than 64 KB, and difference between |
| barrier and limit should be equal to or more than value of |
| \fBnumtcpsock\fR multiplied by 2.5 KB. |
| .TP |
| \fB--othersockbuf\fR \fIbytes\fR[:\fIbytes\fR] |
| Maximum size of other (non-TCP) socket send buffers. If container's processes |
| needs to send very large datagrams, the barrier should be set accordingly. |
| Increased limit is necessary for high performance of communications through |
| local (UNIX-domain) sockets. |
| .TP |
| \fB--dgramrcvbuf\fR \fIbytes\fR[:\fIbytes\fR] |
| Maximum size of other (non-TCP) socket receive buffers. If container's |
| processes needs to receive very large datagrams, the barrier should be set |
| accordingly. The difference between the barrier and the limit is not needed. |
| .TP |
| \fB--oomguarpages\fR \fIpages\fR[:\fIpages\fR] |
| Guarantees against OOM kill. Under this beancounter the kernel accounts the |
| total amount of memory and swap space used by the container's processes. |
| The barrier of this parameter is the out-of-memory guarantee. If the |
| \fBoomguarpages\fR usage is below the barrier, processes of this container |
| are guaranteed not to be killed in out-of-memory situations. |
| The meaning of limit is currently unspecified; it should be set to |
| \fBunlimited\fR. |
| .TP |
| \fB--lockedpages\fR \fIpages\fR[:\fIpages\fR] |
| Maximum number of pages acquired by \fBmlock\fR(2). |
| .TP |
| \fB--privvmpages\fR \fIpages\fR[:\fIpages\fR] |
| Allows controlling the amount of memory allocated by the applications. |
| For shared (mapped as \fBMAP_SHARED\fR) pages, each container really using |
| a memory page is charged for the fraction of the page (depending on the |
| number of others using it). For "potentially private" pages (mapped as |
| \fBMAP_PRIVATE\fR), container is charged either for a fraction of the size |
| or for the full size if the allocated address space. In the latter case, |
| the physical pages associated with the allocated address space may be |
| in memory, in swap or not physically allocated yet. |
| |
| The barrier and the limit of this parameter |
| control the upper boundary of the total size of allocated memory. Note that |
| this upper boundary does not guarantee that container will be able |
| to allocate that much memory. The primary mechanism to control memory |
| allocation is the \fB--vmguarpages\fR guarantee. |
| .TP |
| \fB--shmpages\fR \fIpages\fR[:\fIpages\fR] |
| Maximum IPC SHM segment size. |
| Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--numfile\fR \fIitems\fR[:\fIitems\fR] |
| Maximum number of open files. In most cases the barrier and the limit |
| should be set to the same value. Setting the barrier to \fB0\fR effectively |
| disables pre-charging optimization for this beancounter in the kernel, |
| which leads to the held value being precise but could slightly degrade |
| file open performance. |
| .TP |
| \fB--numflock\fR \fIitems\fR[:\fIitems\fR] |
| Maximum number of file locks. Safety gap should be between barrier and limit. |
| .TP |
| \fB--numpty\fR \fIitems\fR[:\fIitems\fR] |
| Number of pseudo-terminals (PTY). Note that in OpenVZ each container can have |
| not more than 255 PTYs. Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--numsiginfo\fR \fIitems\fR[:\fIitems\fR] |
| Number of siginfo structures. |
| Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--dcachesize\fR \fIbytes\fR[:\fIbytes\fR] |
| Maximum size of filesystem-related caches, such as directory entry |
| and inode caches. Exists as a separate parameter to impose a limit |
| causing file operations to sense memory shortage and return an errno |
| to applications, protecting from memory shortages during critical |
| operations that should not fail. |
| Safety gap should be between barrier and limit. |
| .TP |
| \fB--numiptent\fR \fInum\fR[:\fInum\fR] |
| Number of iptables (netfilter) entries. |
| Setting the barrier and |
| the limit to different values does not make practical sense. |
| .TP |
| \fB--physpages\fR \fIpages\fR[:\fIpages\fR] |
| This is currently an accounting-only parameter. It shows the usage of RAM |
| by this container. Barrier should be set to 0, and limit should be set to |
| \fBunlimited\fR. |
| .TP |
| \fB--swappages\fR \fIpages\fR[:\fIpages\fR] |
| The limit, if set, is used to show a total amount of swap space available |
| inside the container. The barrier of this parameter is currently ignored. |
| The default value is \fBunlimited\fR, meaning total swap will be reported |
| as 0. |
| |
| Note that in order for the value to be shown as total swap space, |
| \fB--meminfo\fR parameter should be set to value other than \fBnone\fR. |
| |
| .TP |
| .B CPU fair scheduler parameters |
| .PP |
| These parameters control CPU usage by container. |
| .TP |
| \fB--cpuunits\fR \fInum\fR |
| CPU weight for a container. Argument is positive non-zero number, passed to |
| and used in the kernel fair scheduler. The larger the number is, the more |
| CPU time this container gets. Maximum value is 500000, minimal is 8. |
| Number is relative to weights of all the other running containers. |
| If \fBcpuunits\fR are not specified, default value of 1000 is used. |
| |
| You can set CPU weight for CT0 (host system itself) as well |
| (use \fBvzctl set 0 --cpuunits \fInum\fR). Usually, OpenVZ initscript |
| (\fB/etc/init.d/vz\fR) takes care of setting this. |
| .TP |
| \fB--cpulimit\fR \fInum\fR[\fB%\fR] |
| Limit of CPU usage for the container, in per cent. |
| Note if the computer has 2 CPUs, it has total of 200% CPU time. Default CPU |
| limit is \fB0\fR (no CPU limit). |
| .TP |
| \fB--cpus\fR \fInum\fR |
| sets number of CPUs available in the container. |
| .TP |
| \fB--cpumask\fR \fIcpus\fR | \fBall\fR |
| sets list of allowed CPUs for the container. |
| Input format is a comma-separated list of decimal numbers and ranges. |
| Consecutively set bits are shown as two hyphen-separated decimal numbers, |
| the smallest and largest bit numbers set in the range. |
| For example, if you want the container to execute on CPUs 0, 1, 2, 7, |
| you should pass \fB0-2,7\fR. |
| Default value is \fBall\fR (the container can execute on any CPU). |
| |
| .TP |
| .B Memory output parameters |
| .PP |
| This parameter control output of /proc/meminfo inside a container. |
| .TP |
| \fB--meminfo\fR \fBnone\fR |
| No /proc/meminfo virtualization (the same as on host system). |
| .TP |
| \fB--meminfo\fR \fImode\fR:\fIvalue\fR |
| Configure total memory output in a container. Reported free memory is evaluated |
| accordingly to the mode being set. Reported swap is evaluated |
| according to the settings of \fB--swappages\fR parameter. |
| |
| You can use the following modes for \fImode\fR: |
| .br |
| \(bu \fBpages\fR:\fIvalue\fR - sets total memory in pages; |
| .br |
| \(bu \fBprivvmpages\fR:\fIvalue\fR - sets total memory as |
| \fBprivvmpages\fR * \fIvalue\fR. |
| |
| Default is \fBprivvmpages:1\fR. |
| |
| .TP |
| .B iptables control parameters |
| .TP |
| \fB--iptables\fR \fIname\fR |
| Allow to use the functionality of \fIname\fR iptables module inside |
| the container. To specify multiple \fIname\fRs, repeat --iptables |
| for each, or use space-separated list as an argument |
| (enclosed in single or double quotes to protect spaces). |
| |
| The default list of enabled iptables modules is specified |
| by the \fBIPTABLES\fR variable in \fBvz.conf\fR(5). |
| |
| You can use the following values for \fIname\fR: |
| \fBiptable_filter\fR, \fBiptable_mangle\fR, \fBipt_limit\fR, |
| \fBipt_multiport\fR, \fBipt_tos\fR, \fBipt_TOS\fR, \fBipt_REJECT\fR, |
| \fBipt_TCPMSS\fR, \fBipt_tcpmss\fR, \fBipt_ttl\fR, \fBipt_LOG\fR, |
| \fBipt_length\fR, \fBip_conntrack\fR, \fBip_conntrack_ftp\fR, |
| \fBip_conntrack_irc\fR, \fBipt_conntrack\fR, \fBipt_state\fR, |
| \fBipt_helper\fR, \fBiptable_nat\fR, \fBip_nat_ftp\fR, \fBip_nat_irc\fR, |
| \fBipt_REDIRECT\fR, \fBxt_mac\fR, \fBipt_recent\fR, \fBipt_owner\fR. |
| |
| .TP |
| .B Network devices control parameters |
| .TP |
| \fB--netdev_add\fR \fIname\fR |
| move network device from the host system to a specified container |
| .TP |
| \fB--netdev_del\fR \fIname\fR |
| delete network device from a specified container |
| |
| .TP |
| .B Disk quota parameters |
| .TP |
| \fB--diskquota\fR \fByes\fR | \fBno\fR |
| allows to enable or disable disk quota for a container. By default, |
| a global value (\fBDISK_QUOTA\fR) from \fBvz.conf\fR(5) is used. |
| .TP |
| \fB--diskspace\fR \fInum\fR[:\fInum\fR] |
| sets soft and hard disk quota limits, in blocks. First parameter is soft limit, |
| second is hard limit. One block is currently equal to 1Kb. |
| Suffixes \fBG\fR, \fBM\fR, \fBK\fR can also be specified |
| (see \fBResource limits\fR section for more info on suffixes). |
| .TP |
| \fB--diskinodes\fR \fInum\fR[:\fInum\fR] |
| sets soft and hard disk quota limits, in i-nodes. First parameter is |
| soft limit, second is hard limit. |
| .TP |
| \fB--quotatime\fR \fIseconds\fR |
| sets quota grace period. Container is permitted to exceed its soft limits |
| for the grace period, but once it has expired, the soft limit is enforced |
| as a hard limit. |
| .TP |
| \fB--quotaugidlimit\fR \fInum\fR |
| sets maximum number of user/group IDs in a container for which disk quota inside |
| the container will be accounted. If this value is set to \fB0\fR, user and group |
| quotas inside the container will not be accounted. |
| |
| Note that if you have previously set value of this parameter to \fB0\fR, |
| changing it while the container is running will not take effect. |
| |
| .TP |
| .B Mount option |
| .TP |
| \fB--noatime\fR \fByes\fR | \fBno\fR |
| Sets noatime flag (do not update inode access times) on filesystem. |
| |
| .TP |
| .B Capability option |
| .TP |
| \fB--capability\fR \fIcapname\fR:\fBon\fR|\fBoff\fR |
| Sets a capability for a container. Note that setting capability when |
| the container is running does not take immediate effect; restart the container |
| in order for the changes to take effect. Note a container has default set |
| of capabilities, thus any operation on capabilities is "logical and" |
| with the default capability mask. |
| |
| You can use the following values for \fIcapname\fR: |
| \fBchown\fR, \fBdac_override\fR, \fBdac_read_search\fR, \fBfowner\fR, |
| \fBfsetid\fR, \fBkill\fR, \fBsetgid\fR, \fBsetuid\fR, |
| \fBsetpcap\fR, \fBlinux_immutable\fR, \fBnet_bind_service\fR, |
| \fBnet_broadcast\fR, \fBnet_admin\fR, \fBnet_raw\fR, |
| \fBipc_lock\fR, \fBipc_owner\fR, \fBsys_module\fR, \fBsys_rawio\fR, |
| \fBsys_chroot\fR, \fBsys_ptrace\fR, \fBsys_pacct\fR, |
| \fBsys_admin\fR, \fBsys_boot\fR, \fBsys_nice\fR, \fBsys_resource\fR, |
| \fBsys_time\fR, \fBsys_tty_config\fR, \fBmknod\fR, \fBlease\fR, |
| \fBsetveid\fR, \fBve_admin\fR. For detailed description, see |
| .BR capabilities (7). |
| |
| \fBWARNING\fR: setting some of those capabilities may have far reaching security |
| implications, so do not do it unless you know what you are doing. Also note |
| that setting \fBsetpcap:on\fR for a container will most probably lead to |
| inability to start it. |
| |
| .TP |
| .B Device access management |
| .TP |
| \fB--devnodes\fR \fIdevice\fR:[\fBr\fR][\fBw\fR][\fBq\fR]|\fBnone\fR |
| Give the container an access (\fBr\fR - read, \fBw\fR - write, |
| \fBq\fR - disk quota management, \fBnone\fR - no access) |
| to a device designated by the special file /dev/\fIdevice\fR. Device file |
| is created in a container by \fBvzctl\fR. Example: |
| \fBvzctl set 777 --devnodes sdb:rwq\fR. |
| .TP |
| \fB--devices\fR \fBb\fR|\fBc\fR:\fImajor\fR:\fIminor\fR|\fBall\fR:[\fBr\fR][\fBw\fR][\fBq\fR]|\fBnone\fR |
| Give the container an access to a \fBb\fRlock or \fBc\fRharacter device |
| designated by its \fImajor\fR and \fIminor\fR numbers. Device file have to be created manually. |
| |
| .TP |
| .B PCI device management |
| .TP |
| \fB--pci_add\fR [\fIdomain\fR:]\fIbus\fR:\fIslot\fR.\fIfunc\fR |
| Give the container an access to a specified PCI device. All numbers are |
| hexadecimal (as printed by \fBlspci\fR(8) in the first column). |
| .TP |
| \fB--pci_del\fR [\fIdomain\fR:]\fIbus\fR:\fIslot\fR.\fIfunc\fR |
| Delete a PCI device from the container. |
| |
| Note that \fBvps-pci\fR configuration script is executed by \fBvzctl\fR |
| then configuring PCI devices. The script is usually located at |
| \fB/usr/lib[64]/vzctl/scripts/\fR. |
| |
| .TP |
| .B Features management |
| .TP |
| \fB--features\fR \fIname\fR:\fBon\fR|\fBoff\fR |
| Enable or disable a specific container feature. |
| Known features are: \fBsysfs\fR, \fBnfs\fR, \fBsit\fR, \fBipip\fR, \fBppp\fR, |
| \fBipgre\fR, \fBbridge\fR, \fBnfsd\fR. |
| |
| .TP |
| .B Apply config |
| .TP |
| \fB--applyconfig\fR \fIname\fR |
| Read container parameters from the container sample configuration file |
| \fB\f(CW/etc/vz/conf/ve-\fIname\fR\fB\f(CW.conf-sample\fR, and |
| apply them, if \fB--save\fR option specified save to the container config file. |
| The following parameters are not changed: \fBHOSTNAME\fR, \fBIP_ADDRESS\fR, |
| \fBOSTEMPLATE\fR, \fBVE_ROOT\fR, and \fBVE_PRIVATE\fR. |
| .TP |
| \fB--applyconfig_map\fR \fIgroup\fR |
| Apply container config parameters selected by \fIgroup\fR. Now the only |
| possible value for \fIgroup\fR is \fBname\fR: |
| to restore container name based on \fBNAME\fR |
| variable in container configuration file. |
| |
| .TP |
| .B I/O priority management |
| .TP |
| \fB--ioprio\fR \fIpriority\fR |
| Assigns I/O priority to container. \fIPriority\fR range is \fB0-7\fR. |
| The greater \fIpriority\fR is, the more time for I/O activity container has. |
| By default each container has \fIpriority\fR of \fB4\fR. |
| |
| .SS Checkpointing and restore |
| |
| Checkpointing is a feature of OpenVZ kernel which allows to save a complete |
| state of a running container, and to restore it later. |
| .TP 4 |
| \fBchkpnt\fR \fICTID\fR [\fB--dumpfile\fR \fIname\fR] |
| This command saves a complete state of a running container to a dump file, |
| and stops the container. If an option \fB--dumpfile\fR is not set, default |
| dump file name \fB/vz/dump/Dump.\fICTID\fR is used. |
| .TP 4 |
| \fBrestore\fR \fICTID\fR [\fB--dumpfile\fR \fIname\fR] |
| This command restores a container from the dump file created by the |
| \fBchkpnt\fR command. |
| |
| .SS Performing container actions |
| |
| .IP "\fBcreate\fR \fICTID\fR [\fB--ostemplate\fR \fIname\fR] [\fB--config\fR \fIname\fR] [\fB--private\fR \fIpath\fR] [\fB--root\fR \fIpath\fR] [\fB--ipadd\fR \fIaddr\fR] [\fB--hostname\fR \fIname\fR]" 4 |
| Creates a new container area. This operation should be done once, before |
| the first start of the container. |
| |
| If the \fB--config\fR option is specified, values from |
| example configuration file |
| \f(CW\fB/etc/vz/conf/ve-\fIname\fR\f(CW\fB.conf-sample\fR |
| are put into the container configuration file. If this container configuration |
| file already exists, it will be removed. |
| |
| You can use \fB--root\fR \fIpath\fR option to sets the path to the mount |
| point for the container root directory (default is \fBVE_ROOT\fR specified in |
| \fBvz.conf\fR(5) file). Argument can contain literal string \fB$VEID\fR, |
| which will be substituted with the numeric CT ID. |
| |
| You can use \fB--private\fR \fIpath\fR option to set the path to directory |
| in which all the files and directories specific to this very container |
| are stored (default is \fBVE_PRIVATE\fR specified in \fBvz.conf\fR(5) file). |
| Argument can contain literal string \fB$VEID\fR, which will be substituted with |
| the numeric CT ID. |
| |
| You can use \fB--ipadd\fR \fIaddr\fR option to assign an IP address to |
| a container. Note that this option can be used multiple times. |
| |
| You can use \fB--hostname\fR \fIname\fR option to set a host name for |
| a container. |
| .IP "\fBdestroy\fR | \fBdelete\fR" 4 |
| Removes a container private area by deleting all files, directories and |
| the configuration file of this container. |
| .IP "\fBstart\fR [\fB--wait\fR] [\fB--force\fR]" 4 |
| Mounts (if necessary) and starts a container. Unless \fB--wait\fR option |
| is specified, \fBvzctl\fR will return immediately; otherwise an attempt to |
| wait till the default runlevel is reached will be made by \fBvzctl\fR. |
| |
| Specify \fB--force\fR if you want to start a container which is disabled |
| (see \fB--disabled\fR). |
| |
| Note that this command can lead to execution of \fBpremount\fR, \fBmount\fR |
| and \fBstart\fR action scripts (see \fBACTION SCRIPTS\fR below). |
| .IP "\fBstop\fR [\fB--fast\fR]" 4 |
| Stops and unmounts a container. Normally, \fBhalt\fR(8) is executed |
| inside a container; option \fB--fast\fR makes \fBvzctl\fR use |
| \fBreboot\fR(2) syscall instead which is faster but can lead to |
| unclean container shutdown. |
| |
| Note that this command can lead to execution of \fBstop\fR, |
| \fBumount\fR and \fBpostumount\fR action scripts |
| (see \fBACTION SCRIPTS\fR below). |
| .IP \fBrestart\fR 4 |
| Restarts a container, i.e. stops it if it is running, and starts again. |
| Accepts all the \fBstart\fR and \fBstop\fR options. |
| |
| Note that this command can lead to execution of some action scripts |
| (see \fBACTION SCRIPTS\fR below). |
| .IP \fBstatus\fR 4 |
| Shows a container status. This is a line with five or six words, |
| separated by spaces. |
| |
| First word is literally \fBCTID\fR. |
| |
| Second word is the numeric \fICT ID\fR. |
| |
| Third word is showing whether this container exists or not, |
| it can be either \fBexist\fR or \fBdeleted\fR. |
| |
| Fourth word is showing the status of the container filesystem, |
| it can be either \fBmounted\fR or \fBunmounted\fR. |
| |
| Fifth word shows if the container is running, |
| it can be either \fBrunning\fR or \fBdown\fR. |
| |
| Sixth word, if exists, is \fBsuspended\fR. It appears if both a container |
| and its dump file exist (see \fBchkpnt\fR). |
| |
| This command can also be usable from scripts. |
| .IP \fBmount\fR 4 |
| Mounts container private area. Note that this command can lead |
| to execution of \fBpremount\fR and \fBmount\fR action scripts |
| (see \fBACTION SCRIPTS\fR below). |
| .IP \fBumount\fR 4 |
| Unmounts container private area. Note that this command can lead |
| to execution of \fBumount\fR and \fBpostumount\fR action scripts |
| (see \fBACTION SCRIPTS\fR below). |
| |
| Note that \fBstop\fR does \fBumount\fR automatically. |
| .IP "\fBquotaon\fR \fIctid\fR" 4 |
| Turn disk quota on. Not that \fBmount\fR and \fBstart\fR does that |
| automatically. |
| .IP "\fBquotaoff\fR \fIctid\fR" 4 |
| Turn disk quota off. Not that \fBumount\fR and \fBstop\fR |
| does that automatically. |
| .IP "\fBquotainit\fR \fIctid\fR" 4 |
| Initialize disk quota (i.e. run \fBvzquota init\fR) with the parameters |
| taken from the CT configuration file \fBctid.conf\fR(5). |
| .IP "\fBexec\fR \fICTID\fR \fIcommand\fR" 4 |
| Executes \fIcommand\fR in a container. Environment variables are not set |
| inside the container. |
| Signal handlers may differ from default settings. If \fIcommand\fR is \fB-\fR, |
| commands are read from stdin. |
| .IP "\fBexec2\fR \fICTID\fR \fIcommand\fR" 4 |
| The same as \fBexec\fR, but return code is that of \fIcommand\fR. |
| .IP "\fBrunscript\fR \fICTID\fR \fIscript\fR" 4 |
| Run specified shell script in the container. Argument \fIscript\fR is a file |
| on the host system which contents is read by vzctl and executed in the |
| context of the container. For a running container, the command jumps |
| into the container and executes the script. For a stopped container, it |
| enters the container, mounts container's root filesystem, executes the |
| script, and unmounts CT root. In the latter case, the container is not |
| really started, no file systems other than root (such as \fB/proc\fR) |
| are mounted, no startup scripts are executed etc. Thus the environment |
| in which the script is running is far from normal and is only usable for |
| very basic operations. |
| .IP "\fBenter\fR [\fB--exec \fIcommand\fR [\fIarg\fR ...]]" 4 |
| Enters into a container (giving a container's root shell). This option |
| is a back-door for host root only. The proper way to have CT root shell |
| is to use \fBssh\fR(1). |
| |
| Option \fB--exec\fR is used to run \fIcommand\fR with arguments |
| after entering into container. This is useful if command to be run |
| requires a terminal (so \fBvzctl exec\fR can not be used) and for |
| some reason you can not use \fBssh\fR(1). |
| |
| You need to log out manually from the shell to finish session |
| (even if you specified \fB--exec\fR). |
| |
| .SS Other options |
| |
| .IP \fB--help\fR 4 |
| Prints help message with a brief list of possible options. |
| .IP \fB--version\fR 4 |
| Prints \fBvzctl\fR version. |
| .SH ACTION SCRIPTS |
| \fBvzctl\fR has an ability to execute user-defined scripts when |
| a specific \fBvzctl\fR command is run for a container. The following |
| \fBvzctl\fR commands can trigger execution of action scripts: |
| \fBstart\fR, \fBstop\fR, \fBrestart\fR, \fBmount\fR and \fBumount\fR. |
| |
| Action scripts are located in the \fB/etc/vz/conf/\fR directory. There |
| are global and per-CT scripts. Global scripts have a literal prefix of |
| \fBvps.\fR and are executed for all containers. Per-CT scripts have |
| a \fICTID\fR numeric prefix and are executed for the given container |
| only. |
| |
| There are 8 action scripts currently defined: |
| .IP "\fBvps.premount\fR, \fICTID\fB.premount\fR" |
| Global and per-CT mount scripts which are executed for a |
| container before it is mounted. Scripts are executed in the host OS |
| context, while a CT is not yet mounted or running. Global script, |
| if exists, is executed first. |
| .IP "\fBvps.mount\fR, \fICTID\fB.mount\fR" |
| Global and per-CT mount scripts which are executed for a |
| container right after it is mounted. Otherwise they are the same |
| as \fB.premount\fR scripts. |
| .IP \fICTID\fB.start\fR |
| Right after \fBvzctl\fR has started a container, it executes this script |
| in a container context. |
| .IP \fICTID\fB.stop\fR |
| Right before \fBvzctl\fR has stopped a container, it executes this script |
| in a container context. |
| .IP "\fBvps.umount\fR, \fICTID\fB.umount\fR" |
| Global and per-CT umount scripts which are executed for a |
| container before it is unmounted. Scripts are executed |
| in the host OS context, while a CT is mounted. Global script, |
| if exists, is executed first. |
| .IP "\fBvps.postumount\fR, \fICTID\fB.postumount\fR" |
| Global and per-CT umount scripts which are executed for a |
| container right after it is unmounted. Otherwise they are the same |
| as \fB.umount\fR scripts. |
| |
| The environment passed to all the \fB*mount\fR scripts is the standard |
| environment of the parent (i.e. \fBvzctl\fR) with two additional |
| variables: \fB$VEID\fR and \fB$VE_CONFFILE\fR. The first one holds |
| the ID of the container, and the second one holds the full path |
| to the container configuration file. If the script needs to get other |
| CT configuration parameters, such as \fB$VE_ROOT\fR, it needs to get |
| those from global and per-CT configuration files. |
| |
| Here is an example of a mount script, which makes host system's |
| /mnt/disk available to container(s). Script name can either be |
| \fB/etc/vz/conf/vps.mount\fR or \fB/etc/vz/conf/\fICTID\fB.mount\fR. |
| |
| .nf |
| .ps -1 |
| .ft CR |
| # If one of these files does not exist then something |
| # is really broken |
| [ -f /etc/sysconfig/vz ] || exit 1 |
| [ -f $VE_CONFFILE ] || exit 1 |
| # Source both files. Note the order is important. |
| . /etc/vz/vz.conf |
| . $VE_CONFFILE |
| mount -n --bind /mnt/disk $VE_ROOT/mnt/disk |
| .ft |
| .fi |
| .SH EXIT STATUS |
| Returns 0 upon success, or an appropriate error code in case of an error: |
| .IP 1 |
| Failed to set a UBC parameter |
| .IP 2 |
| Failed to set a fair scheduler parameter |
| .IP 3 |
| Generic system error |
| .IP 5 |
| The running kernel is not an OpenVZ kernel (or some OpenVZ modules are not loaded) |
| .IP 6 |
| Not enough system resources |
| .IP 7 |
| \fBENV_CREATE\fR ioctl failed |
| .IP 8 |
| Command executed by \fBvzctl exec\fR returned non-zero exit code |
| .IP 9 |
| Container is locked by another \fBvzctl\fR invocation |
| .IP 10 |
| Global OpenVZ configuration file \fBvz.conf\fR(5) not found |
| .IP 11 |
| A vzctl helper script file not found |
| .IP 12 |
| Permission denied |
| .IP 13 |
| Capability setting failed |
| .IP 14 |
| Container configuration file \fBctid.conf\fR(5) not found |
| .IP 15 |
| Timeout on \fBvzctl exec\fR |
| .IP 16 |
| Error during \fBvzctl chkpnt\fR |
| .IP 17 |
| Error during \fBvzctl restore\fR |
| .IP 18 |
| Error from \fBsetluid()\fR syscall |
| .IP 20 |
| Invalid command line parameter |
| .IP 21 |
| Invalid value for command line parameter |
| .IP 22 |
| Container root directory (\fBVE_ROOT\fR) not set |
| .IP 23 |
| Container private directory (\fBVE_PRIVATE\fR) not set |
| .IP 24 |
| Container template directory (\fBTEMPLATE\fR) not set |
| .IP 28 |
| Not all required UBC parameters are set, unable to start container |
| .IP 29 |
| OS template is not specified, unable to create container |
| .IP 31 |
| Container not running |
| .IP 32 |
| Container already running |
| .IP 33 |
| Unable to stop container |
| .IP 34 |
| Unable to add IP address to container |
| .IP 40 |
| Container not mounted |
| .IP 41 |
| Container already mounted |
| .IP 43 |
| Container private area not found |
| .IP 44 |
| Container private area already exists |
| .IP 46 |
| Not enough disk space |
| .IP 47 |
| Bad/broken container (\fB/sbin/init\fR or \fB/bin/sh\fR not found) |
| .IP 48 |
| Unable to create a new container private area |
| .IP 49 |
| Unable to create a new container root area |
| .IP 50 |
| Unable to mount container |
| .IP 51 |
| Unable to unmount container |
| .IP 52 |
| Unable to delete a container |
| .IP 53 |
| Container private area not exist |
| .IP 60 |
| \fBvzquota on\fR failed |
| .IP 61 |
| \fBvzquota init\fR failed |
| .IP 62 |
| \fBvzquota setlimit\fR failed |
| .IP 63 |
| Parameter \fBDISKSPACE\fR not set |
| .IP 64 |
| Parameter \fBDISKINODES\fR not set |
| .IP 66 |
| \fBvzquota off\fR failed |
| .IP 67 |
| ugid quota not initialized |
| .IP 71 |
| Incorrect IP address format |
| .IP 74 |
| Error changing password |
| .IP 78 |
| IP address already in use |
| .IP 79 |
| Container action script returned an error |
| .IP 82 |
| Config file copying error |
| .IP 86 |
| Error setting devices (\fB--devices\fR or \fB--devnodes\fR) |
| .IP 89 |
| IP address not available |
| .IP 91 |
| OS template not found |
| .IP 100 |
| Unable to find container IP address |
| .IP 104 |
| \fBVE_NETDEV\fR ioctl error |
| .IP 105 |
| Container start disabled |
| .IP 106 |
| Unable to set iptables on a running container |
| .IP 107 |
| Distribution-specific configuration file not found |
| .IP 109 |
| Unable to apply a config |
| .IP 129 |
| Unable to set meminfo parameter |
| .IP 130 |
| Error setting veth interface |
| .IP 131 |
| Error setting container name |
| .IP 133 |
| Waiting for container start failed |
| .IP 139 |
| Error saving container configuration file |
| .IP 148 |
| Error setting container IO parameters (ioprio) |
| .SH EXAMPLES |
| To create and start "basic" container with ID of 1000 using |
| \fBcentos-5\fR OS template and IP address of 192.168.10.200: |
| .br |
| \f(CR vzctl create 1000 --ostemplate centos-5 --config basic |
| .br |
| \f(CR vzctl set 1000 --ipadd 192.168.10.200 --save |
| .br |
| \f(CR vzctl start 1000 |
| \fR |
| .P |
| To set number of processes barrier/limit to 80/100, and |
| PTY barrier/limit to 16/20 PTYs: |
| .br |
| \f(CR vzctl set 1000 --numproc 80:100 -t 16:20 --save |
| \fR |
| .P |
| To execute command \fBls -la\fR in this container: |
| .br |
| \f(CR vzctl exec 1000 /bin/ls -la |
| \fR |
| .P |
| To execute command pipe \fBls -l / | sort\fR in this container: |
| .br |
| \f(CR vzctl exec 1000 'ls -l / | sort' |
| \fR |
| .P |
| To enter this container and execute command \fBapt-get install vim\fR: |
| .br |
| \f(CR vzctl enter 1000 --exec apt-get install vim |
| \fR |
| .P |
| Note that in the above example you will need to log out from the |
| container's shell after apt-get finishes. |
| .P |
| To enter this container, execute command \fBapt-get install vim\fR and |
| logout after successful installation (or stay inside the container |
| if installation process failed) use \fB&&\fR: |
| .br |
| \f(CR vzctl enter 1000 --exec "apt-get install vim && logout" |
| \fR |
| .P |
| To enter this container, execute command \fBapt-get install vim\fR and logout |
| independently of exit code of installation process use \fB;\fR: |
| .br |
| \f(CR vzctl enter 1000 --exec "apt-get install vim ; logout" |
| \fR |
| .P |
| Note that you need to quote the command if you use \fB&&\fR or \fB;\fR. |
| .P |
| To stop this container: |
| .br |
| \f(CR vzctl stop 1000 |
| \fR |
| .P |
| To permanently remove this container: |
| .br |
| \f(CR vzctl destroy 1000 |
| \fR |
| .SH FILES |
| .ad l |
| \fB\f(CR/etc/vz/vz.conf |
| .br |
| /etc/vz/conf/\fICTID\fB\f(CR.conf |
| .br |
| /etc/vz/conf/vps.{premount,mount,umount,postumount} |
| .br |
| /etc/vz/conf/\fICTID\fB\f(CR.{premount,mount,start,stop,umount,postumount} |
| .br |
| /proc/vz/veinfo |
| .br |
| /proc/vz/vzquota |
| .br |
| /proc/user_beancounters |
| .br |
| /proc/bc/* |
| .br |
| /proc/fairsched\fR |
| .SH SEE ALSO |
| .BR vz.conf (5), |
| .BR ctid.conf (5), |
| .BR arpsend (8), |
| .BR vzcalc (8), |
| .BR vzcfgvalidate (8), |
| .BR vzcpucheck (8), |
| .BR vzifup-post (8), |
| .BR vzlist (8), |
| .BR vzmemcheck (8), |
| .BR vzmigrate (8), |
| .BR vzpid (8), |
| .BR vzquota (8), |
| .BR vzsplit (8), |
| .BR http://wiki.openvz.org/UBC . |
| .SH LICENSE |
| Copyright (C) 2000-2011, Parallels, Inc. Licensed under GNU GPL. |